Auditing suppliers - ISO 27001/Data Protection
We are using Conformio and also have your Data Protection kit. One thing common to both is the need to audit suppliers. Our supply contracts will not justify in-person audits or even lengthy online audits. I have your internal audit booklet, have been through your internal audit course a couple of times and carried out an internal audit for our company. However, our supply contracts will not justify in-person audits or even lengthy online audits (like our internal audit).
Do you have any guidance/resource for carrying out a “lighter” audit e.g. checklists/questionnaires/guidance on what to look for? I can construct something but wondered if you had anything.
If you want to create a short checklist for a second-party audit (supplier audit), the best would be to read the security clauses from the agreement with this supplier, and list each security requirement as an item in your checklist.
For a guide on how to perform a remote audit, watch the recording of this webinar: How to Perform a Remote Audit https://advisera.com/training/how-to-perform-remote-audit/
Hello.
One "lighter" audit you can perform is to check if the supplier is ISO27001-certified, if they have a SOC2 audit report you can read through, and if they have penetration test reports, as a way of evaluating their security posture and seeing whether they fulfill your security requirements. SOC2 audit reports usually list any deficiencies identified; the fact that the supplier is ISO27001-certified means that they have passed both an internal audit and an external audit with no Major Non-Conformity, which is a good sign in itself; penetration test reports can show what sort of vulnerabilities were identified, and you can ask the supplier how and when they addressed these vulnerabilities.
This "lighter" audit is a valid option especially in the case when you have signed standard agreements with SaaS-based or cloud providers that don't give you the option of signing a tailored agreement with your specific security clauses and so restrict you from performing onsite or remote audits.
If they don't have anything, then unfortunately, the only thing you can resort to is Information Security Questionnaires that they need to fill out, after which you read their replies. Since anything written can potentially be a lie unless you verify it, you can also request samples of evidence for any claims they make in terms of controls and evaluate these.
If they don't even provide that, then maybe you should flag this supplier as risky and bring up to management whether arrangements and a plan to replace the supplier with another supplier should be considered.
Aug 23, 2022